Analysis

  • max time kernel
    203s
  • max time network
    31s
  • platform
    windows7_x64
  • resource
    win7-20221111-en
  • resource tags

    arch:x64, arch:x86, image:win7-20221111-en, locale:en-us, os:windows7-x64, system
  • submitted
    23/11/2022, 22:05

General

  • Target

    c1f3b41db9bd1059bb7ca4ca159c2ef8e86899fac297d5a0eca72a8792f9b781.exe

  • Size

    433KB

  • MD5

    35797677ce25d743546bf9bac87c255c

  • SHA1

    608b5fe7326cd57be1c7e71e33939aa70b1eca2c

  • SHA256

    c1f3b41db9bd1059bb7ca4ca159c2ef8e86899fac297d5a0eca72a8792f9b781

  • SHA512

    2dcc6a1accab412006082f8e713278dd4f8eb05fef92d0fb97a883cfb6bf5c06bb3fe15150f520f9b6b307dd8d9957ff857b47da605dd7495ff003ecdc865698

  • SSDEEP

    12288:x57qSYh+Tu1lxHxCgpcAnirLS9Mm5fmXHdI3:n7jYhcExN0i9MsfYA

Malware Config

Extracted

Family

xtremerat

C2

gaetano1997.no-ip.org
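
A dynamic-DNS C2 such as the no-ip.org host above is cheap for the operator to re-point and cheap for a defender to pivot on. The following is an added example, not part of the sandbox report: it scans constructed Sysmon-style DnsQuery records for the extracted C2 hostname and for lookups beneath common dynamic-DNS zones. The suffix list and the sample log lines are assumptions for illustration; the PIDs in the sample mirror the report's process tree.

```python
"""Flag DNS lookups of the extracted XtremeRAT C2 and of dynamic-DNS zones.

Added example, not part of the sandbox report.  The DDNS suffix list is an
illustrative assumption, not an authoritative catalogue, and the log lines are
constructed to resemble Sysmon Event ID 22 (DnsQuery) records.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# Hard indicator taken from the report's extracted config.
KNOWN_C2 = {"gaetano1997.no-ip.org"}

# Dynamic-DNS zones frequently abused for RAT C2 (assumed list; extend from your own telemetry).
DDNS_SUFFIXES = (
    "no-ip.org", "no-ip.biz", "no-ip.info", "ddns.net", "zapto.org",
    "hopto.org", "sytes.net", "servehttp.com", "redirectme.net", "duckdns.org",
)

LINE_RE = re.compile(r"QueryName:\s*(?P<host>\S+)\s+ProcessId:\s*(?P<pid>\d+)")

# Constructed sample log; PIDs and images mirror the report's process tree.
SAMPLE_LOG = """\
QueryName: gaetano1997.no-ip.org ProcessId: 520 Image: C:\\Windows\\SysWOW64\\svchost.exe
QueryName: www.microsoft.com ProcessId: 1704 Image: C:\\Program Files\\Internet Explorer\\iexplore.exe
QueryName: updates.hopto.org. ProcessId: 1548 Image: C:\\Windows\\SysWOW64\\DllHost.exe
"""


@dataclass(frozen=True)
class Hit:
    host: str
    pid: int
    reason: str


def normalise(host: str) -> str:
    """Lower-case and strip a trailing dot so 'Host.no-ip.org.' still matches."""
    return host.rstrip(".").lower()


def is_ddns(host: str) -> bool:
    """True for a DDNS zone apex or any label beneath it; lookalikes such as evilno-ip.org do not match."""
    h = normalise(host)
    return any(h == s or h.endswith("." + s) for s in DDNS_SUFFIXES)


def scan_dns_log(text: str) -> list[Hit]:
    """Return one Hit per query that is a known C2 or sits in a DDNS zone."""
    hits: list[Hit] = []
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue  # not a DnsQuery record
        host, pid = normalise(m["host"]), int(m["pid"])
        if host in KNOWN_C2:
            hits.append(Hit(host, pid, "known XtremeRAT C2"))
        elif is_ddns(host):
            hits.append(Hit(host, pid, "dynamic-DNS host"))
    return hits


if __name__ == "__main__":
    for hit in scan_dns_log(SAMPLE_LOG):
        print(f"pid {hit.pid}: {hit.host} ({hit.reason})")
```

The suffix match is anchored on a label boundary on purpose: matching on a bare substring would let `evilno-ip.org` slip in and would also fire on unrelated zones that merely end in the same characters.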

Signatures

  • Detect XtremeRAT payload 6 IoCs
  • XtremeRAT

    XtremeRAT was developed by xtremecoder, is written in Delphi, and has been available since at least 2010.

  • UPX packed file 9 IoCs

    Detects executables packed with the open-source UPX packer or a modified UPX build.

  • Drops file in System32 directory 3 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). The sandbox labels this as likely ransomware behaviour, but for a RAT it is equally consistent with drive enumeration for a file-manager feature; treat it as a weak indicator on its own.

  • NTFS ADS 3 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 18 IoCs
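
The "UPX packed file" signature above rests on a simple structural fact: stock UPX names its sections UPX0/UPX1 and leaves the packed body at near-maximal entropy. The following is an added example, not part of the sandbox report and not the sandbox's own detection: it walks the PE section table, reports UPX-named sections, and measures per-section entropy so that a renamed (modified) UPX build is still visible. A minimal PE32 skeleton is constructed inline so the check runs offline; the sample itself is not parsed here.

```python
"""Heuristic for the 'UPX packed file' signature: section names plus entropy.

Added example, not part of the sandbox report.  The PE images below are
constructed in-line (non-loadable skeletons, headers only where needed) so
the check runs without the sample.  A modified UPX often renames sections,
so the entropy figure is the packer-agnostic half of the verdict.
"""
import math
import random
import struct
from collections import Counter

SECTION_HEADER_SIZE = 40          # sizeof(IMAGE_SECTION_HEADER)
PE32_OPTIONAL_HEADER_SIZE = 0xE0  # SizeOfOptionalHeader for PE32

# Constructed section payloads: pseudo-random bytes stand in for compressed
# code, repeated assembler text for ordinary uncompressed code.
_rng = random.Random(1)
HIGH_ENTROPY = bytes(_rng.randrange(256) for _ in range(4096))
LOW_ENTROPY = b"MOV EAX, EBX\n" * 300


def build_fake_pe(sections):
    """Assemble a minimal PE32 skeleton from (name, raw bytes) pairs (constructed test data)."""
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)  # e_lfanew: PE header directly after the DOS header
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, PE32_OPTIONAL_HEADER_SIZE, 0x102)
    table_off = 0x40 + 4 + 20 + PE32_OPTIONAL_HEADER_SIZE
    raw_off = table_off + SECTION_HEADER_SIZE * len(sections)
    headers, payloads = b"", b""
    for name, payload in sections:
        hdr = bytearray(SECTION_HEADER_SIZE)
        hdr[:8] = name.encode("ascii")[:8].ljust(8, b"\0")
        # SizeOfRawData and PointerToRawData live at offsets 16 and 20 of the section header
        struct.pack_into("<II", hdr, 16, len(payload), raw_off + len(payloads))
        headers += bytes(hdr)
        payloads += payload
    return bytes(dos) + b"PE\0\0" + coff + bytes(PE32_OPTIONAL_HEADER_SIZE) + headers + payloads


def pe_sections(data):
    """Walk MZ -> e_lfanew -> PE signature -> COFF header -> section table; return [(name, raw bytes)]."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature missing")
    coff = e_lfanew + 4
    (num_sections,) = struct.unpack_from("<H", data, coff + 2)   # NumberOfSections
    (opt_size,) = struct.unpack_from("<H", data, coff + 16)      # SizeOfOptionalHeader
    table = coff + 20 + opt_size
    sections = []
    for i in range(num_sections):
        off = table + i * SECTION_HEADER_SIZE
        name = data[off:off + 8].split(b"\0", 1)[0].decode("ascii", "replace")
        size, ptr = struct.unpack_from("<II", data, off + 16)
        sections.append((name, data[ptr:ptr + size]))
    return sections


def shannon_entropy(buf):
    """Bits per byte: close to 8.0 for compressed or encrypted data, markedly lower for plain code."""
    if not buf:
        return 0.0
    n = len(buf)
    return -sum(c / n * math.log2(c / n) for c in Counter(buf).values())


def packer_verdict(data):
    """Return (has a UPX-named section, highest section entropy)."""
    secs = pe_sections(data)
    upx_named = any(name.upper().startswith("UPX") for name, _ in secs)
    max_entropy = max((shannon_entropy(raw) for _, raw in secs), default=0.0)
    return upx_named, max_entropy


if __name__ == "__main__":
    packed = build_fake_pe([("UPX0", b""), ("UPX1", HIGH_ENTROPY), (".rsrc", bytes(512))])
    plain = build_fake_pe([(".text", LOW_ENTROPY), (".data", bytes(256))])
    print("packed:", packer_verdict(packed))
    print("plain: ", packer_verdict(plain))
```

UPX0 normally has a zero SizeOfRawData (it is the unpacking destination, reserved in virtual memory only), which is why the constructed image gives it an empty payload; the compressed body sits in UPX1.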

Processes

  • C:\Users\Admin\AppData\Local\Temp\c1f3b41db9bd1059bb7ca4ca159c2ef8e86899fac297d5a0eca72a8792f9b781.exe
    "C:\Users\Admin\AppData\Local\Temp\c1f3b41db9bd1059bb7ca4ca159c2ef8e86899fac297d5a0eca72a8792f9b781.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • NTFS ADS
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:2044
    • C:\Users\Admin\AppData\Local\Temp\c1f3b41db9bd1059bb7ca4ca159c2ef8e86899fac297d5a0eca72a8792f9b781.exe
      2⤵
      • Drops file in System32 directory
      • Suspicious use of WriteProcessMemory
      PID:2024
      • C:\Windows\SysWOW64\svchost.exe
        svchost.exe
        3⤵
        PID:520
      • C:\Program Files\Internet Explorer\iexplore.exe
        "C:\Program Files\Internet Explorer\iexplore.exe"
        3⤵
        PID:1704
  • C:\Windows\SysWOW64\DllHost.exe
    C:\Windows\SysWOW64\DllHost.exe /Processid:{76D0CB12-7604-4048-B83C-1005C7DDC503}
    1⤵
    • Drops file in System32 directory
    • Suspicious use of FindShellTrayWindow
    PID:1548
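
The tree above is the classic hollowing shape: the sample re-executes itself (SetThreadContext and WriteProcessMemory on the first copy), and the second copy spawns a SysWOW64 svchost.exe and an Internet Explorer process from a Temp-resident binary. The following is an added example, not part of the sandbox report: parent/child heuristics run over the reported tree. PIDs, images and command lines are taken from the page; the parent PID of the first sample process and of DllHost.exe is not shown in the report and is filled in with a placeholder value. The heuristics are the editor's, not the sandbox's signatures.

```python
r"""Parent/child heuristics for the hollowing pattern in the reported tree.

Added example, not part of the sandbox report.  PIDs, images and command
lines come from the tree; UNKNOWN_PARENT is a placeholder for parents the
report does not show (the launcher's and DllHost.exe's).
"""
from __future__ import annotations

from dataclasses import dataclass
from pathlib import PureWindowsPath

SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\c1f3b41db9bd1059bb7ca4ca159c2ef8e86899fac297d5a0eca72a8792f9b781.exe"
UNKNOWN_PARENT = 1320  # placeholder PID, assumed: not present in the report


@dataclass(frozen=True)
class Proc:
    pid: int
    ppid: int
    image: str
    cmdline: str = ""


# Process tree as reported (constructed from the page; depth-1 PPIDs assumed).
TREE = [
    Proc(2044, UNKNOWN_PARENT, SAMPLE, f'"{SAMPLE}"'),
    Proc(2024, 2044, SAMPLE, SAMPLE),
    Proc(520, 2024, r"C:\Windows\SysWOW64\svchost.exe", "svchost.exe"),
    Proc(1704, 2024, r"C:\Program Files\Internet Explorer\iexplore.exe",
         r'"C:\Program Files\Internet Explorer\iexplore.exe"'),
    Proc(1548, UNKNOWN_PARENT, r"C:\Windows\SysWOW64\DllHost.exe",
         r"C:\Windows\SysWOW64\DllHost.exe /Processid:{76D0CB12-7604-4048-B83C-1005C7DDC503}"),
]

TEMP_MARKER = "\\appdata\\local\\temp\\"


def basename(path: str) -> str:
    return PureWindowsPath(path).name.lower()


def hollowing_findings(procs: list[Proc]) -> dict[int, list[str]]:
    """Map PID -> reasons it looks like a hollowing launcher or a hollowed host."""
    by_pid = {p.pid: p for p in procs}
    findings: dict[int, list[str]] = {}

    def add(pid: int, reason: str) -> None:
        findings.setdefault(pid, []).append(reason)

    for p in procs:
        parent = by_pid.get(p.ppid)
        if parent is None:
            continue  # parent not in the tree: nothing to compare against
        same_image = p.image.lower() == parent.image.lower()
        if same_image:
            add(p.pid, "self-spawned copy of its parent (RunPE-style launcher)")
        if basename(p.image) == "svchost.exe":
            # Legitimate service hosts are children of services.exe and carry a -k group.
            if basename(parent.image) != "services.exe":
                add(p.pid, f"svchost.exe parented by {basename(parent.image)}, not services.exe")
            if "-k" not in p.cmdline.lower().split():
                add(p.pid, "svchost.exe started without a -k service group")
        if TEMP_MARKER in parent.image.lower() and not same_image:
            add(p.pid, f"{basename(p.image)} spawned by a Temp-resident executable")
    return findings


if __name__ == "__main__":
    for pid, reasons in sorted(hollowing_findings(TREE).items()):
        print(pid, *reasons, sep="\n    ")
```

On a live host the same three checks map directly onto Sysmon Event ID 1 fields (Image, ParentImage, CommandLine); the svchost.exe rule alone would have caught PID 520 here, since a service host with no `-k` group and a non-services.exe parent has no benign explanation on Windows 7.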

Network

MITRE ATT&CK Enterprise v6

Downloads

  • C:\Windows\SysWOW64\531images.jpg

    Filesize
    11KB

    MD5
    7ca7c0fe6ec8dfab1bfd88898c6c5393

    SHA1
    017338f40cf8ed6c67597dd905454d73c70cb10a

    SHA256
    5c4d63786705827d9450afef145e96cda8ce854d98cf5598cf28409fdbf26e94

    SHA512
    b18f2b458b4ffd24537350f894aeeaa67f474eab7c340a50ea1ebf4499a8cc4dfcf79c5c18e350495e5a93bad5cac97bdc7b8e2bb0bceb17d9eb83dba3ec990a

  • memory/520-80-0x0000000010000000-0x0000000010050000-memory.dmp (Filesize 320KB)
  • memory/520-77-0x0000000010000000-0x0000000010050000-memory.dmp (Filesize 320KB)
  • memory/2024-60-0x0000000010000000-0x0000000010050000-memory.dmp (Filesize 320KB)
  • memory/2024-63-0x0000000010000000-0x0000000010050000-memory.dmp (Filesize 320KB)
  • memory/2024-64-0x0000000010000000-0x0000000010050000-memory.dmp (Filesize 320KB)
  • memory/2024-79-0x0000000010000000-0x0000000010050000-memory.dmp (Filesize 320KB)
  • memory/2024-69-0x0000000010000000-0x0000000010050000-memory.dmp (Filesize 320KB)
  • memory/2024-61-0x0000000010000000-0x0000000010050000-memory.dmp (Filesize 320KB)
  • memory/2024-70-0x0000000010000000-0x0000000010050000-memory.dmp (Filesize 320KB)
  • memory/2024-72-0x0000000000400000-0x00000000004A8BF4-memory.dmp (Filesize 674KB)
  • memory/2024-71-0x0000000010000000-0x0000000010050000-memory.dmp (Filesize 320KB)
  • memory/2044-68-0x0000000000400000-0x00000000004A8BF4-memory.dmp (Filesize 674KB)
  • memory/2044-57-0x0000000000400000-0x00000000004A8BF4-memory.dmp (Filesize 674KB)
  • memory/2044-54-0x0000000076691000-0x0000000076693000-memory.dmp (Filesize 8KB)
  • memory/2044-56-0x0000000000400000-0x00000000004A8BF4-memory.dmp (Filesize 674KB)
  • memory/2044-55-0x0000000000400000-0x00000000004A8BF4-memory.dmp (Filesize 674KB)
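
The dump list is more informative than it looks once the names are parsed: the same 0x10000000-0x10050000 region (the default image base for a DLL) was dumped from both PID 2024, the second copy of the sample, and PID 520, the svchost.exe it spawned, while the 0x400000-0x4A8BF4 region is the sample's own image in both 2044 and 2024. The following is an added example, not part of the sandbox report: it parses dump names of the form used above and reports regions that recur across processes, which is the shape an injected module leaves. The names are copied from the list (one per distinct region and PID); the reading of the result is the editor's, not the sandbox's.

```python
"""Correlate sandbox memory-dump names across PIDs to spot injected regions.

Added example, not part of the sandbox report.  DUMP_NAMES is a subset of
the report's Downloads list; interpretation of the image bases is the
editor's and is a heuristic, not a sandbox verdict.
"""
import re
from collections import defaultdict

DUMP_RE = re.compile(
    r"memory/(?P<pid>\d+)-(?P<seq>\d+)-0x(?P<start>[0-9A-Fa-f]+)-0x(?P<end>[0-9A-Fa-f]+)-memory\.dmp"
)

# Copied from the report (one entry per distinct region and PID).
DUMP_NAMES = [
    "memory/520-80-0x0000000010000000-0x0000000010050000-memory.dmp",
    "memory/520-77-0x0000000010000000-0x0000000010050000-memory.dmp",
    "memory/2024-60-0x0000000010000000-0x0000000010050000-memory.dmp",
    "memory/2024-72-0x0000000000400000-0x00000000004A8BF4-memory.dmp",
    "memory/2044-68-0x0000000000400000-0x00000000004A8BF4-memory.dmp",
    "memory/2044-54-0x0000000076691000-0x0000000076693000-memory.dmp",
]


def parse_dump_name(name):
    """Return (pid, start, end) from a 'memory/<pid>-<seq>-0x<start>-0x<end>-memory.dmp' name."""
    m = DUMP_RE.fullmatch(name)
    if not m:
        raise ValueError(f"unrecognised dump name: {name}")
    return int(m["pid"]), int(m["start"], 16), int(m["end"], 16)


def regions_by_pid(names):
    """(start, end) -> set of PIDs the region was dumped from (repeat dumps collapse)."""
    out = defaultdict(set)
    for n in names:
        pid, start, end = parse_dump_name(n)
        out[(start, end)].add(pid)
    return dict(out)


def shared_regions(names, min_pids=2):
    """Regions seen in at least min_pids processes, as (start, end, size, sorted pids)."""
    return sorted(
        (start, end, end - start, sorted(pids))
        for (start, end), pids in regions_by_pid(names).items()
        if len(pids) >= min_pids
    )


def describe(start, pids):
    """Heuristic label from the image base (editor's reading, not a sandbox verdict)."""
    if start == 0x400000:
        return "EXE default image base: the sample's own image in both copies"
    if start == 0x10000000:
        return "DLL default image base shared with a child: consistent with a written-in module"
    return "other"


if __name__ == "__main__":
    for start, end, size, pids in shared_regions(DUMP_NAMES):
        print(f"0x{start:08X}-0x{end:08X} {size // 1024}KB pids={pids}: {describe(start, pids)}")
```

Since the verdict-worthy region here sits in both the second copy of the sample and in svchost.exe, the next step in a real investigation is to diff the two 0x10000000 dumps and carve the one from PID 520 as the payload to scan with the XtremeRAT rule.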